That the U.S. National Security Agency cracks encryption comes as no surprise -- code-breaking is part of the spy agency's mission -- but reports that the NSA went too far by urging software companies to insert backdoors and weaknesses into their code have raised valid questions over the viability of today's commercial encryption technologies. The latest Snowden document leaks, reported by The New York Times and The Guardian late last week, said the agency has cracked or evaded encryption used in much of the Internet's sensitive communications today, potentially exposing users' encrypted email, online chats, and phone calls.
"I don't find it particularly surprising that their agenda was to crack all the crypto -- that has always been their agenda," says Lawrence Garvin, head geek at SolarWinds. But what's still unclear in the latest Snowden revelations is whether the NSA can successfully crack newer, stronger encryption technology, he says.
The latest developments indicate potentially glaring overreach by the NSA, and security experts in response are calling for efforts to speed up some long-awaited updates to the Internet's underlying TCP/IP protocols.
"This should speed up the [adoption] of new protocols," says Stephen Cobb, security evangelist for ESET. "Ten years down the road, we may look back and say we avoided massive cyberattacks because we took measures to improve our security. Ironically, it was prompted by our own government agency [the NSA]."
Crypto expert Bruce Schneier in a blog post last week publicly called for a re-engineering of the Internet to thwart spying, urging the use of open protocols that are harder for the NSA to subvert. Schneier said the Internet Engineering Task Force's meeting in November should be "dedicated" to this topic. "This is an emergency, and demands an emergency response," Schneier said.
IETF chair Jari Arkko today confirmed that security, indeed, will be under discussion at the IETF November meeting in Vancouver: "We have obviously been disturbed by the revelations, and continue to do our best to improve the Internet security in view of these and other threats," Arkko says. "We have a policy to employ strong security mechanisms, and we care a lot about having trusted services and protocols in the Internet. We are discussing this topic, and we will discuss it in our next meeting. There may be some technical improvements that are helpful."
Internet security isn't just about technology, however, Arkko says. "Communications security will not help if you do not trust the party that you are communicating with, or the device that you are using," he says.
The IETF already is working on a new version of the Transport Layer Security (TLS) protocol that ratchets up security to prevent eavesdropping and tampering, as well as other efforts to beef up encryption algorithms. Also in the works is mandatory security for HTTP 2.0.
"I believe mandatory security in HTTP 2.0, in particular, if adopted, would be helpful against eavesdropping in some situations," Arkko says. But he cautions that it must be coupled with trust between the communicating parties, or else "complete protection for eavesdropping is difficult to achieve."
At the heart of many of the Internet's security woes is the old "on the Internet, no one knows you're a dog" problem: the ability to remain anonymous or to pose as someone you're not. One key solution would be to authenticate packets, says David Frymier, CISO and vice president at Unisys.
The next-generation IP protocol, IPv6, holds some promise for this, he says. "With IPv6, if you require authentication of packets, a lot of problems ... go away," Frymier says. "A lot of Internet problems are derived from the fact you can do things anonymously and spoof your identity, such as man-in-the-middle attacks."
Frymier says the NSA is basically exploiting incorrectly implemented or designed technologies to get to the intelligence it wants. And bad guys can do the same, he says. "I stood in front of a computer that I knew was infected, yet it came up clean even though I could see it beaconing to a server in China," he says. "The fact is bad guys know how to get inside Windows in such a way that you just can't tell they are there."
Look for new encryption software to emerge as well. "I think the latest revelation will energize efforts to improve some of the security and privacy fundamentals" of the Internet protocols, ESET's Cobb says. "I think we will see a lot of growth in ... new encryption software, for example, that could potentially defeat current NSA capabilities."
James Clapper, director of national intelligence, said in a statement yesterday that it's no secret the U.S. intelligence community gathers "information about economic and financial matters, and terrorist financing."
"What we do not do, as we have said many times, is use our foreign intelligence capabilities to steal the trade secrets of foreign companies on behalf of -- or give intelligence we collect to -- U.S. companies to enhance their international competitiveness or increase their bottom line," Clapper said.
"As we have said previously, the United States collects foreign intelligence -- just as many other governments do -- to enhance the security of our citizens and protect our interests and those of our allies around the world. The intelligence community's efforts to understand economic systems and policies and monitor anomalous economic activities is critical to providing policy makers with the information they need to make informed decisions that are in the best interest of our national security," he said.
The latest NSA revelations late last week from the Snowden files don't mean that encryption or the Internet are broken, however, experts say. The NSA appears to have set its sights on a common weakness in encryption: the deployment, management, and storage of encryption keys, experts say.
Older algorithms with shorter bit-key lengths were brute-forcible by the NSA, Unisys' Frymier says. But the "other 10 percent" of encryption using longer bit-key lengths is still safe from NSA snooping, he says. "If you've got strong encryption properly implemented with a secure key management structure, then you're safe from the NSA," he says.
The NSA is basically boiling the ocean, he says, and most organizations in comparison have a relatively small set of data that they need to protect. "I'm convinced this is possible to have a secure communications system," Frymier says. Aside from strong encryption that's properly deployed, that would also entail managing your own keys and better control of endpoints so they can securely transmit data, he says.
"The Internet is not broken," he says. "I'm not surprised by any of this at all. It's not just the NSA that's doing this. The Chinese are doing it" as well, he says.